Cybersecurity's Ceiling

Security spending and staffing are rising, but restrained resources are tempering market growth.

The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say despite recent increases in spending and hiring, the market paradoxically is being slowed by a shortage of resources.

In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.

"Security spending is based on failure, rather than need. The more secure that you feel, the less you spend," says John Pescatore, director of emerging security trends for SANS Institute.

Cybersecurity indeed is growing, but just not as fast as you'd think.

IT security spending growth also is hampered by a lack of available talent to pull off the needed projects, says Jeff Pollard, principal analyst with Forrester Research.

"There are capacity restrictions," says Pollard. "It is not the available funds in the budget, but the fact that you can only do three, four, or five big projects a year because of the number of people, service providers, and employee skill sets you have."

One report by CyberSecurity Ventures pegs IT security spending to soar beyond $1 trillion in revenue over the course of a five-year period ending in 2021, with 12% to 15% annual growth.

But a larger pool of industry analysts and players are expecting a slightly less robust future - with annual revenue growth of less than 10%. Cisco Systems and IBM, for example, reported security revenue growth of 9% in the third quarter and 9% in the first quarter, respectively.

Gartner is projecting a more muted level of worldwide IT security spending. The research firm is predicting annual revenue growth to increase along the lines of 7.6% in 2017 to 8% by 2020, says Lawrence Pingree, a Gartner analyst and vice president.

Pingree says IT security spending is expected to reach $90.1 billion this year and increase to $113.1 billion by 2020.

And when viewing security spending as a percentage of the overall IT budget, nearly half of 400 IT professionals surveyed in a Dark Reading report, "How Enterprises Spend Their Security Dollars," say they expect to allocate 9% or less on security, with a sizable portion of this spend coming in at 5% or less. This level of security spending will largely remain in place for the next 12 months, given 40% of survey respondents noted they did not expect an increase in their overall IT budget, which in turn trickles down to the security budgets.

One possible contributor to tight security budgets and tempered growth in the industry is a desire by companies to achieve greater efficiencies with their existing technology. "Rather than spending more on security, boards are asking 'what are you doing to spend less and do it in a better way than what we are doing?'" Pescatore says. "Security in depth is spending in depth."

IT Job Growth

The shortage of workers may also be putting a cap on security market growth. When 2022 rolls around, IT security trade organization ISC2 is predicting a 1.8 million shortfall of cybersecurity professionals to fill empty or expansion positions around the world. That, in turn, might explain the bullish job growth forecasts from the Bureau of Labor Statistics that says information security analysts should see an 18% rise in job growth between 2014 to 2024.

However, recruiting firm Robert Half Technology expects a more muted growth rate of 5% for IT security positions. Robert Half and other IT security recruiters note that with a limited pool of infosec professionals to hire, that alone is keeping a lid on massive hiring growth.

A recent Dark Reading report on Surviving the IT Security Skills Shortage found that only 14% of the 400 IT and IT security professionals surveyed believe there are a sufficient number of skilled IT security professionals available on the market.

Meanwhile, the UK's separation from the European Union under Brexit also contributed to a slowdown in IT security hiring, as a number of new programs were put on hold that would otherwise drive jobs growth, says Owanate Bestman, an information security contract consultant for recruiting firm Barclay Simpson. The GDPR, however, is an IT security jobs driver, he says, with an estimated 30% of posted positions in the first quarter having some relationship to the new regulations.

There may not be enough infosec professionals to go around to fill those GDPR slots as well as other vacant security positions, so companies will need to seek out other ways to fill the void. Ray Rothrock, CEO of RedSeal, predicts that this will not necessarily equate to IT security growth.

"How do we prepare for this chronic skilled labor shortage?" Rothrock asks. "We need to learn to work smarter, to do more with less, to prioritize assets and vulnerabilities, to automate and integrate as much as possible."

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Agree - actually BOTH inputs, human and AI are important. I would trust, going forward, AI for the grunt work of malware analysis and then let a human evaluate threat disposition. Remember the old movie WARGAMES where the argument was made to let WOPR run the national nuclear defense network - take the human out of the equation, and look how that turned out. AI cannot replace human involvement - it can supplement it to a good degree and probable that is the larger degree. FASTER too.

As the daughter of two dentists, i would agree to that. But my father always told me that some help in running scenarios for diagnostic could help, though in the end he would make the call. I believe AI can help IT security professional sort through the noise and provide alerts in the rigth direction, human intervention is still needed to review and make the ultimate decision.

This is how AI will help us and we need to see it for what it is, a helping technology, and stop fighting it by fear that it will replace humans one day. I do not believe it will.

A few years ago I was discussing the involvement of computers with medical practice - with a dentist to be precise - and as much as computers (by ext, AI) could and did benefit his business, he also said this. That when a surgeon is cutting and feeling his way around a patient on the table, computers cannot FEEL what his or her fingers FEEL and process that data to the brain. Something to be said for that.

True, but it is life in cybersecurity. Any threat prevention software out there have false positive, AI ( and i do not mean Watson) and machine learning technologies have more capabilities to actually learn from false positive and factored them in their algorithm.

AI must also be capable of detecting an infinite variety of false-positive hits, software that seems malicious, could be but is not after careful review. WATSON is not the solution to everything in the western world.

AI will help IT professionals work smarter, faster with the help of machine learning technologies. If we cannot train a reasonable pool of new IT security professionals to meet the industry needs, AI will start supplementing for that and cybersecurity vendors are embracing the technology at a fast and furious pace.

An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...

In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.